Authby is an intermediate Windows CTF challenge that features manual enumeration, hash cracking, and reverse shells, all things that you will see in Offensive Security’s Proving Grounds Practice series of vulnerable machines. This walkthrough only covers up to initial shell access and will be updated in the next few days to include full System/Administrator access.

Started an initial scan a little differently and decided to try out the -T5 switch with the -p- and see how they differ from previous scans… turns out to be very effective!

Further enumeration of the services reveals notable information such as an Anonymous FTP login, an Apache Web Server, and RDP.

Started with FTP and manually searched around.

Found another user account ‘Offsec’ as well as the admin .uac files in the accounts directory.

Used hydra to brute force the admin account password… but had to remember how to use hydra :/

After successfully getting hydra configured, I was able to get the super secure admin credentials.

Logged in as admin and grabbed the three files above to look at them.

The location of the directory for the .htpasswd will come in handy later on.

Found the hash for the offsec user account.

Used John the Ripper to crack the hash (also had to relearn this tool).

FTP not allowing this user…

Sent a test file to attempt a file upload vulnerability, calling with the offsec user account.

Started with the tried and true pentestmonkey reverse shells.

Season to taste…

Upload…

…no dice…

After researching other reverse shells, this Windows-specific payload did the trick.

Third time is the charm.

Success! Got a shell!

At this point, local.txt was found under the apache user’s desktop.

Will be updating this walkthrough soon; please come back later for the full rundown!